You
Outro Music
Is there enough in here for you?
Yeah, me neither.
Can you hear me now?
Do I have to have this thing pretty much pressed to my lips?
Okay.
Okay, before I begin, I want to point something out that's very important to keep in mind
for the next hour and a half that I'm going to be talking,
or the next however long I'm going to be talking.
I do not work for Microsoft.
I'm not a representative of Microsoft.
I'm sitting here telling you what I know about locking down your Windows 2000 box.
You just installed Windows 2000 server.
Now what?
Okay, this is not the Microsoft official slant.
I'm not, I just want to really emphasize, I don't work for Microsoft,
and I'm in no way trying to indicate that I represent them in any way, shape, or form.
Okay, this is one man's opinion.
A little bit of background, but first of all, my name is Keith Nugent.
I didn't put that on the slide, but my name is Keith Nugent.
I work in Chicago, Illinois, as a trainer.
I train people how to set up Windows 2000, NT, Cisco, that sort of stuff.
I'm the type of person that when your boss tells you you're going to a class,
I'm the guy standing in front of you, okay?
I teach everybody from people that don't even know what a computer is,
they have to learn how to turn it on, all the way up to they've been doing this for 20 years,
and now they just need to learn the next operating system,
or how to configure the Cisco router that they just had shipped in, okay?
The topic, how to lock down your Windows 2000 boxes.
Again, this is, you just ordered a server, or you just installed a server,
you just threw Windows 2000 on there.
How does it come by default?
What are some of the options you have to lock things down to kind of secure things,
and what can we do to lock them down even further?
Okay, by default, Windows 2000, NT, the whole product line,
has never been ultimately secure.
You can't just install Windows 2000, walk away.
You couldn't install NT, and just walk away,
and expect that nobody is going to be able to access any of your data, okay?
But we do have some options.
We can lock things down and keep people out.
You have to have the operating system plus a little bit of intelligence,
and just go in and work with it.
So we're going to take a look at default NTFS permissions.
We're going to talk briefly about what NTFS is, how it works,
what you need to have installed.
I imagine everybody here already knows what NTFS is.
I imagine everybody here already knows what NTFS is.
But I'm going to just give a brief recap for those of you who may have some misgivings
about it or who may not know about it.
We're then going to talk about what are the default settings as far as the security templates
and locking down of settings on Windows 2000 Professional.
Then we'll talk about default server, and when I talk about server,
server advanced, server data center, server, they're all just different capabilities.
The security is going to be the same on them as far as the default settings.
And then default domain controller settings.
You may be surprised at the security by default.
So the security is going to be the same on the domain controller.
I'll make the slides available.
I'll talk to the guys that are running this or I'll put them up on my website.
I'll figure out some way to make them available.
But to be honest with you, I've only got like ten slides.
There's going to be a lot of demonstrations with actually showing it rather than doing
it with slides.
So starting off with NTFS permissions, by default NTFS gives everyone full control of
of almost every file on the operating system.
The C drive at the root of C, everyone full control.
If you take a look at the properties of C,
it's just everyone full control.
Anybody can do whatever they want by default at the C drive.
Obviously, this isn't a great idea.
Well, maybe that's an understatement.
But that's the default. That's where we start off.
Nobody's saying that this is the most secure way of doing things.
It's just that start off with a blank slate,
and then you can lock things down from there.
So here we see everyone full control.
First of all, how many people are working with NT right now,
or have worked with NT in the past?
How many people are working with 2000 already?
How many people have been working with 2000 for over a year?
You probably know a lot of what I'm going to be talking about,
if you've been working with it for over a year.
But maybe I've got some stuff that you don't know.
So this is the Windows 2000.
2000 properties, dialogue box, security dialogue box.
Couple things about security.
With 2000, now we have allow or deny.
You can either allow or deny the specific types of permissions.
And of course, NTFS permissions.
NTFS permissions, there's about 15 or 20 actual permissions.
These are accumulated into the cumulative permissions,
or the standard permissions.
So the ones that we're seeing here are actually standard permissions.
These are cumulative of the actual NTFS permissions.
If I click on advanced here, and go in and edit the everyone group here,
we can see we have a bunch of other permissions as well.
Another cool thing about 2000, what's kind of new about NTFS,
is now you can say, okay, what do I want this to apply to?
Do I want this to apply to this folder only?
This folder, subfolders and files, which is the default for everything.
This folder, any subset of there.
Folder and subfolders, folder and files, subfolders and files,
just subfolders, just files.
Etc.
Okay, as you specify, I want this to propagate to a certain extent.
I'm going to leave it with that.
You can see here, if I go back, I want to apologize,
this mouse is kind of difficult to control with one hand, but.
If I want to give somebody permission, add in.
Now the first thing you're going to do, how many people have everyone full control
still on their machines now?
On their server?
Okay, yeah, I didn't think so.
First thing you're going to do is remove the everyone full control, and at the very least,
if you want, still want to give everybody full control, go in, and there's a group
called authenticated users.
That's people that you have allowed to authenticate against this machine, or against this domain,
if you're operating in a domain environment, which you probably will be with a number of
servers.
Go in and specify authenticated users and give them full control.
Then somebody can't just walk in with a box, plug into your network, and you're done.
You can start looking at the files.
Everyone is just anybody that has access to the server.
Everyone means everyone.
I'm going to go in and I'll just add in guests here for this demonstration, because it doesn't
really matter.
I'm going to give the everyone, by default they get read and execute, list folder contents
and read.
I'm just going to give them read permission, and we'll see what read permission is when
we go in a little bit further.
Also, as I go along here, if you have any questions, feel free to. . .
Ask questions throughout, or I'll of course reserve some time at the end for questions,
but I know oftentimes I get a question in my head and I don't remember it an hour later
when it's time for questions.
Here we see the default permissions are going to actually be, or the cumulative permission
of read gives us list folder, read data, read attributes, read extended attributes,
read permissions, and I believe that's it.
Yeah, that's it.
Okay.
So, any time you add in a permission, any time you give somebody permission, what you're
actually doing here is giving them a group of actual NTFS permissions.
You'll also notice on this advanced box, down here there's a reset permission on all
child objects to enable propagation of inheritable permissions.
What this means is, when I set these permissions, I want this to inherit down to all of the
child objects.
Okay.
So, if I go in and I set permission on the C drive under NT4. . .
Now, what happened?
I had that permission set on the C drive, right?
Now if I go in and set something on the C drive, let me drill down a little bit here
on my C drive, we'll go to program files, just for fun, and we'll see if we click on
everyone here, where the heck is it?
There's no everyone.
Okay.
Everyone's not on the program files.
That was a bad choice of example.
Okay, here we see everyone, and I don't know if you guys can, yeah, it shows up pretty
well there.
These are grayed out.
I can't uncheck these boxes.
These are inherited permissions, so any time you see a gray checkbox and they're pissing
you off because you can't uncheck them, they're inherited from a parent folder.
You have to go back and find the parent folder.
If you don't want the parent information to be inherited down, just uncheck that and it's
going to give you a dollar.
Do you want to copy these permissions?
In other words, right now what we have is the C drive is where the permissions are set
and they're being inherited at a project level.
I'll get you in just one second.
They're being inherited at the projects folder level.
Do I want to copy those and have those applied directly at the projects level, or do I want
to remove them, or did I accidentally click on that checkbox and cancel?
I'm going to go ahead and say remove here, and I will see that we don't have anything.
If I click on add here, then I can add in permission, and I'm going to cancel out of
this so it doesn't actually apply.
Yeah, go ahead.
Speak up if you want, I'm deaf.
Authenticated users is going to be at the domain level.
Users is sort of a backward compatibility.
It's still there from NT4.
Authenticated users indicates user that currently has the credentials authenticated doesn't
just present the credentials at the time of type.
access. I don't know if I explained
that very well. Basically, authenticated
users is the Windows 2000 version
of users. It's a little bit more secure because
that user has a
session or an authenticated
token.
Thank you.
Okay.
Yeah, go ahead.
Okay.
That's a good question.
You've got allow and deny.
If you check allow, you're explicitly
allowing them to have that permission.
If you uncheck allow and you do not
check deny, you're implicitly
denying them that permission.
What that means is that because you're not
allowing them, then you're denying them.
However, if they have
permission somewhere else that allows them,
then they will be allowed.
Implicit denial by not
checking that just means if nowhere else
says that they have permission, then they don't have
permission. If you allow them anywhere else,
then they're allowed. If you check the
deny checkbox,
then you're explicitly denying
them. Even if they have allow somewhere else,
they're not going to be able to get in because deny
overrides allow every time. It's the way
that the access control is set up.
The denies are up at the top and it parses
through. It finds the deny and says, okay, yeah,
never mind. Does that
answer your question? Great.
Okay.
That was a good question.
So getting back to the slides, everyone full control
by default. You need to be using
NTFS to set permissions at all. Now that may seem,
a little
basic, but I've had people
come up to me and,
oh, you know, my server is
pissing me off because everybody can go in and modify
files, and I go and they're running fat.
And I'm like,
well, what about your NTFS? I asked them about
NTFS permissions. Yeah, I went in and I changed the permissions.
They were changing their share folder permissions
and didn't understand why somebody sitting at that box
was able to modify the
information. So you have to be using the NTFS
file system in order to be able to use
NTFS permissions. Okay, we just took
a look at how to set NTFS permissions.
You can go into My Computer or into
Windows Explorer. You right-click, you go
to Property Security,
add the user, and then specify what level
of permission you have. You can specify the permission
either at the cumulative
level or the standard permission,
saying read, and that's going to give them
the actual NTFS permissions, or
you can go into Advanced
and specify the individual permissions that you want
to grant them. Okay.
And then, what's new about
NTFS permissions? They're inheritable.
I can go in and specify
everyone full control,
the C drive, and that's going to propagate
down to everybody else. If I
uncheck that, it's going to, at a lower
level, if I say, do not allow inheritable
permissions, then I apply those permissions directly
at that sub-directory. Go ahead.
I'm sorry?
Yes, that's true.
Yeah, that sounds
right to me. I've
not
done much with a null user account. I generally do
training, so that's
quite possibly the actual answer.
Okay.
This is just showing you
the same screens that I already showed you.
You can either allow, deny. If it's
a white checkbox with a checkmark in there,
it's inherited. I'm sorry, it's allowed.
If it's a white checkbox,
without the checkmark in there,
then it's not specified. If it's gray,
that means that it's inherited from a
higher level, from a parent
directory of some sort.
Click on advance
and you can go in. You can click on
edit, view edit, to look at these.
Or you can add in here. So you can either add
at the previous screen,
add somebody in and add in
with the standard permissions, or you can go
to this screen, add in, and add
that user in with
specific NTFS
permissions, the actual permissions.
And then when you click on that, you can go
in and specify where you want that to
apply. This folder, subfolders, files,
or any combination thereof.
Okay.
Getting into
default security settings. Default security
settings are actually pretty lax. NTFS
permissions, I'm not really going to go into, but
basically everyone, full control of the
C drive, the WinNT, the program files
are a little bit less
wide open. They go to
authenticated users. Administrators are the only ones that can do,
uh, real, uh, modification under
WinNT. You've got a 42-day password
expiration for local accounts. Does everybody understand
the difference between a local account and a domain
account? Does anybody not understand
the difference there? Okay. A local
account is on the local machine
on, it's stored in the SAM database,
Security Accounts Manager database,
on that local machine. If I have an
account on machine A
and I want to access resource on machine B,
if I'm using my account from machine A,
I can't get that resource
on machine B. That account is stored on the
locally on that machine. A domain
account is stored in a domain controller. It's actually
stored in an active directory for Windows
2000. It's in,
uh, and you authenticate from your local
machine against the domain controller, so you
have domain credentials. If you want to access a resource on
machine B, if you're using a domain account,
basically both machines are trusting
that domain controller for authentication,
so therefore you can access a
resource there. Okay.
For the local account, for the one that only applies
to this machine, you've got a 42-day
42-day password expiration.
It's going to, by default, send, uh,
LM and NTLM responses.
Um, not gonna, uh,
go to NTLM V2 or
CareGraphs by default. And most
of the settings, when you look at the security templates,
are either not defined or they're
disabled. It's pretty wide open. You have to,
it's, they're relying on you to go in and actually
secure these things. Server
is still pretty wide open. It's gonna do basically
the same thing. 42-day password,
uh, LM
and NTLM responses, most settings not defined
or disabled. It's not real different from,
um, 2000 Professional. Now, you'd
expect, when we go to the domain controller,
you'd expect the domain controller
security would be higher, but it's actually
lower. Okay. The machine-specific
settings are even more lax than server
and professional. There's no, uh,
password restrictions
as far as, uh, the 42-day password
length. Um, it's not
gonna specify to, uh, send, uh,
or actually it does specify LM and NTLM only.
Uh, most everything
is defined for a domain controller
at the group policy level. When we're talking,
we're gonna talk about group policy in just a couple minutes here.
Okay. So security for domain controllers
is not controlled
at the actual machine. It's controlled for
all the domain controllers in general
and Active Directory specified in group policy.
Okay.
So now we're gonna take a look at
the security settings. Where do you set these security,
the security settings? How can you enhance
the security settings? How can you increase
the level of security using
default security templates?
Okay. These can be applied to individual machines
or applied to group policy.
Microsoft provides you with a group
of, uh, templates that are, uh,
pretty general, general use,
um, but they're a good way to get started.
And then you can also create your custom security
templates by either taking those default
security templates and modifying them
and saving them as your own template, or you
can create a brand new template all your own. We're gonna take
a look at these templates, how to create
them and how to use them. Okay.
Um, the security templates, what you
do is you go into an MMC,
and I'm not going to go into, uh,
the MMC right now. I've already created one.
Does everybody know how to, uh,
open up MMC and add in snap-ins?
Okay. Anybody not know how to do that?
Okay.
Um, if I get a chance later on, I'll
go through how to, uh, add in the MMC.
Uh, but for right now,
let me just show you the one that I created.
And I apologize for everything running
low. This is a really old laptop.
I think it's like a, uh,
200 with
32 mega RAM, and I've got an advanced server running
on here, so things will be a little bit slow.
Okay.
So here I added in the security template snap-in.
The templates are actually stored under
C1NT security, uh,
templates. You can go into your, uh,
directory and find those. And here
we just have basic templates. I'm gonna take a look at the
basic domain controller
template.
The way these templates work is that you
have all of the settings,
you can go in and, uh, modify
in the group policy or in the local
security on the machine
all the different settings. The idea here is
we've taken a database, and we've
applied these settings to that database. You can then take and
apply that database. Say, okay, take all the
settings from this database and apply them to the group
policy or apply them to the local machine.
So you can set all the settings
independent of the machine and then apply that
template over and over and over again
to different machines or to multiple
group policies so that you get the exact
same level of security across everywhere.
Okay, so I'm gonna take a look at the basic
DC, um,
I'm gonna walk over and point at, uh, this one. For those of you
that see that, uh, you may want to divert your eyes
over here. You've got basic domain controller,
basic server, and basic workstation.
Those are roughly, roughly
equivalent to the
default security that's applied
when you first install professional
server or
you upgrade to a domain controller.
Okay. They're not exactly
identical. There's a couple things that are different
that aren't important right now, but basically
if you have really gone in
and hosed your security, you can apply
these basic templates and that'll bring you back to
the way it was roughly the day
you installed the operating system.
Go ahead.
Actually, if you are, yeah, you can do that
and if you upgrade from NT to 2000,
in other words, you don't do a fresh install,
when you upgrade, it's going
to presume that you already have the security
in place that you want and therefore
will not apply the default security template.
In that case, if you want to bring those
up to the default Windows 2000 level,
then you'd also have to apply these basic templates.
Okay, so either A,
you've just gone over to NTFS
from FAT or FAT32
and you want to apply it, or
you've really hosed your security
or you've upgraded from NT
to 2000. Yeah, go ahead.
I'm sorry, could you repeat that?
In other words, you go in and modify
your security and you want to
make that into a template?
Yes, yes. If you've gone in
and modified it from the basic, from the default,
if you've made any changes to your
security, you can then export that
to a template so you can always go back
to that level, wherever you got yourself to.
Okay.
So,
we've got our basic server,
workstation, and domain controller.
We then have secure workstation
and server, and high-sec
DC and high-sec WC,
or WS workstation.
Okay, and we'll cover
each of those in a little bit of detail
here, but let me just take a look at basic DC
to see, we'll take a look at
how these are set.
Password policy,
not defined for anything.
Account lockout policy,
not defined for anything.
Kerberos policy, not defined for anything.
You guys see in a pattern here?
Okay. If we go in
and expand high-sec DC,
these are the default templates
that are included. And again, you can modify
these, create your
own templates, and then apply your own templates.
In fact, if anybody
goes in and installs Windows
2000 and then just says,
okay, well I'm just going to apply the high-sec DC and that'll
do everything that I need, I'll be
really disappointed in you. Okay?
Everybody has different needs, everybody has different
requirements for their server.
Yeah, go ahead.
I'm sorry?
That's a good question.
I don't know the specific answer,
however...
It has to include all of those?
Okay.
Two of three? Okay, I knew that it had to do
uppercase, lowercase,
alphanumeric characters.
What's that?
It's three out of four?
Okay, it has to have three out of four
of uppercase,
lowercase, numeric, and special characters?
Okay.
So it has to have three out of the four.
So that you don't have users using password for their
password. Okay. Or if they do
they've got, like, capital P,
password, and then a number,
and then a special character, I guess. Which is still
a hell of a lot more secure than just the word password.
So. I always tell people when they're,
uh, when, uh,
I'm telling users how to create passwords, or
I'm telling my friends how to create passwords, I tell them
to think of their favorite song, think of
the first letter from each word in the
lyric of that song, and then throw a number in the
middle. Okay, that way they're going to remember the
password real easy, but it's not going to be as crackable
as, you know, the name of their dog
or whatever. Okay, but
uh, password requirements and good password
guidelines are the subject of an entirely
different speaker, so
uh, I'll leave those alone for right now.
Okay. So password policy for
HiSecDC, we see it's going to remember
twenty-four passwords, meaning
that you can't just change your password back to the
exact same password. You have to go through twenty-four
passwords before you can reuse
a password. It still has a forty-two
days. Minimum password age, two
days. So you can't change it and then change it right
again. Minimum password
length is eight characters.
Passwords must meet complexity requirements enabled.
Restored password using reversible
encryption, uh, is
disabled. Okay, good.
Is there any kind of workaround for the
fact that you have the
multiple passwords, you can't change the password
more than once a day or once a whatever.
If the help desk changes the
person's password and says, okay, now go change it
to something else they can't, you basically
have to disable it. No, if the
uh, help desk changes it,
what you're gonna do is you're gonna give them permission to go
in and reset password. That doesn't account
against the user's changing of their password.
Right.
You can check that, they can go in and reset the password
and then check the checkbox that says, user must
change password to next logon, in which case
they'll be forced to change the password to something different
than that. So yeah,
that's not a concern as far as I've seen.
I haven't seen
that error, but if you are seeing that error, then
yeah, I guess you'd have to go in and disable
that ability.
What's that?
He was asking if
we set the password so you can't change,
you have to wait two days before you change it,
what happens if the help desk goes in
and changes the password
and then the user has to change their password
again, the user can't just go in and change their password
from what the help desk set it to because
they've gotta wait two days.
I'm pretty sure if you set it to that
checkbox, but I may be wrong.
Yeah, he was saying that it gives them
an error when the user goes in and tries to change
the password after
help desk has set it.
What was that?
Is it a Win9Xbox?
No.
So yeah, I'm not sure
what's causing that, I'm sorry.
Okay, so you can see this is a little bit
more secure than the basic
DC, it's setting some actual
password account lockout policy
still a little bit lax,
five invalid logon attempts,
the account lockout duration is zero though,
the reset account
lockout counter after 30 minutes, so
if you try five times and you
get it wrong, it's gonna lock you out for zero
seconds, and if you try
four times, it's gonna wait 30 minutes
and then give you another five tries.
So still not the most secure, but
it's better than nothing.
Okay.
Kerberos policy is not defined
because you actually
have to have it using Kerberos
across the whole system before
Kerberos policies would really make much sense.
I'm not gonna go through the settings on all
of these, this is something that you can
just sit down at your server and walk through the
MMC snap-in and look at
the different settings.
However, if I have HiSecDC
and I like that,
okay, I'm gonna go in
to my password policy and say
two days just doesn't sit well with me.
So I'm gonna go in
and change this to
41 days because
that's alright.
Okay. Obviously you'd make a lot more dramatic
change than that, but this is just for demonstration
purposes. I can then go in
and say save as. I can either say save,
and if I specify save
right there, then what that's going to do
is save HiSecDC
with these new settings. So it's gonna
modify my default template. If I don't
want to modify the default template, if I want to leave that
alone, I can say save as
and just give it a different name.
Okay, so I'll name this
HiSecDC2.
Now, if I want to apply that
template, I can apply either one of those templates,
HiSec or HiSecDC or
HiSecDC2, and they've got different settings.
So I can go in and modify,
basically, okay, I've got this template, it's doing most of
what I want, but I want to make a couple
changes, you can go in and do that.
Or you can go to security templates,
actually I think you've got to click here and right click,
I hate these context menus. Say new
template, give it a name.
I'm gonna
lock everyone out. I can put in a description
there if I want to. It'll
appear, the description appears over here on the side.
I would recommend putting a description
in there, even if you know what it's for. It's good to
have a description because then everybody else knows what it's for
too.
Okay, now it's creating a template, and this template's
gonna be absolutely blank. So go
into my lock everyone out.
Everything is
disabled or everything is not set.
Not defined.
So you've got to go in and set every
setting there. So you can either create a brand new template,
absolutely fresh, and go in and
set the settings that you want, or
you can take a
template that already exists,
either a Microsoft TeachFall template,
or one that you've created in the past, and
modify that and then save that as a new template.
So you can create these new templates.
Okay, now how do we
actually apply these templates? Well there's a couple
different ways. If you want to apply it directly
to the machine,
then you can go into
local security policy on the machine.
Import policy. Click on import policy.
It asks me which template I want to import the policy
from. I'll specify one,
and then I'll import it. Okay, I'm not gonna do that right
now because that would screw up the security on the machine.
Although it wouldn't really matter, and I'll explain
why it wouldn't matter in just a moment here.
But I can go in and just click on
open here. It would apply this template
to the local machine.
Okay.
The other way to do this is go into a group policy
and apply the group policy, or
you can go into
our tool.
.
.
And in the MMC you can
add in security configuration
and analysis. There's a command line version
of security configuration and analysis tool.
The command line version is called
secedit. Okay, so you can use
secedit. It's a command line
version of this tool. It actually
gives you greater functionality
than the graphical tool, but for the
most part, day-to-day operation
the graphical tool will do you
pretty good.
Okay, so you've got security configuration and analysis.
What we're going to do here
is we're going to go in and say, okay, I've got
my current security. I want to take a look
at how this template is going to affect that.
Okay, how many people think that just
applying everything without testing is a good
idea? Yeah, me neither.
So you want to test this. You want to see what's going to happen
beforehand. This isn't actually
testing. It's just configuration, or it's just analysis.
So I'm going to say open database.
I'll give it a new database name.
Say open.
This is an empty database.
The next thing it's going to do is ask me
which template I want to apply.
Okay. Down here at the bottom,
if I've already used this template before, I can say
clear this database before importing.
So wipe everything fresh, or
I can take
an already existing
database that I've applied one template to
and apply another template on top of that.
Because this is a brand new database, I don't have to
clear it because it's already clear.
So I'll add in high-sec
to
the one that we just modified.
And what's going to happen here is just about nothing.
You can't really see any difference.
But now what it allows us to do
is go in and say analyze
computer now, or configure computer now.
I'm going to analyze computer now.
It asks me where
do I want to store the log. By default, it's going to
store it in the local administrator
or the person that's logged on
temp location.
So say okay.
It goes in and creates it pretty quickly.
And now
I can breeze through here.
Take a look at account policies.
Password policy.
And here I have
a whole bunch of red X's.
Red X means they don't match.
Okay. This isn't going to
tell you whether it's a good idea or a bad idea. Just have a look.
Hey, it doesn't match.
So enforced password history.
Database setting. 24 passwords remembered.
The computer is one password.
So obviously that's going to be much more secure
when we add in this template.
Maximum password age.
41 days versus 42 days. They don't match.
Actual computer setting is theoretically
more secure, or actually less secure I guess
because it's 42 days as opposed to
41 days.
Minimum password age. We can see why we have the red X's.
Down here with the green check mark
they're both disabled.
Green check mark means they match.
Okay. So red X means they don't match.
Green X means they do match.
And then if you don't have a red X or a green check mark
then that means that one of them
is not set. One of them is not defined.
So we come down here to Kerberos policy
where
the database is not defined but the computer
already has things defined.
We don't see anything here as far as a red X
or a green check mark.
So you've got to watch out for the red X's
and something that doesn't have anything
because this one's not defined
so it's not actually
going to apply anything over this.
It'll still have this. But if the database
had some
settings that you didn't like but you were already
not defined on your machine, it wouldn't show you
a red X. It would just be a blue.
So don't just go breezing through here looking for red X's.
You need to look at each setting
by itself. But the red X, the green check mark,
or nothing covering the little
blue bits on the white page
all indicate how the settings are.
So you can look at it at a glance and know how they're
going to match up.
The next thing that I could do here is if I went in
and
right click on here, I can now say
configure computer now. This is now going to
apply this template to the system.
It's now going to put
these settings in effect on the system.
Now here's the thing.
If I go in and configure the computer now
it's still not going to do a darn thing
to my system.
The reason for that is that this is
a domain controller in my own
little domain. Domain controllers
don't get their security or don't get their final
say on security from
the local settings. They get it from a group policy.
How many people
have worked with group policy before
this point?
Group policy takes
what we had in NT4 with our
policies, our security policies in NT4
and kind of jacks them up a little bit.
You can do a lot more
in here.
I'm going to take a look at
Active Directory users and
computers.
Let me get through
some of these slides first.
We've got our security templates. We already took a look at that.
Group policy. We'll take a look at
order of processing. How does group policy
process the order of the
containers and then modifying the
default application of group policy.
Group policy may not apply the way you want
by default. You can go in and modify a lot of
this. There's a lot of
chance to modify
how things go in Windows 2000.
Let's take a look at Active Directory users and computers.
I'm going to look at my
domain controller
OU
and click on group policy. Everybody see how I got there?
Active Directory users and computers tool.
I went to the domain controllers OU
and then properties. Now I'm going to group policy
and now I'm going to edit this group policy.
Now I'm looking at the domain
controller default group policy. This is what
it's applied by default. All I've done
on this machine, I installed Windows 2000.
I installed PowerPoint so I could show the slides
and I promoted it to a domain
controller. I installed DNS too so
it could be a domain controller. This is
basic default out of the box
server configuration.
If we go
into
computer Windows settings
under security settings
this is
where I'm going to apply
my security. This is where we're going to find our account
policies, our local policies
such as password policy and account lockout,
local policies such as
audit, user rights assignment.
This is something that really screwed me up about
two years ago, a year and a half or two years ago when I was
first figuring out Windows 2000
is that you used to just
go in and assign somebody their right to log on
locally in NT4. You just go to
user manager,
go to user rights and then set it up. This is
buried within the domain controller group
policy under
Windows settings, security settings,
local policies,
user rights assignment. This is
where you go in and give somebody the ability to log on
locally.
As you can see here, we've got TS Internet user,
iUser Freedom1. Freedom1 is the name of
my computer. Administrators, backup operators,
account operators.
Most of the default
administration security groups
and then our internet users.
By default, on the domain controller,
all of our internet users, our internet
guest accounts have the right to log
on locally to the computer. This is
because IIS is installed on Windows 2000
by default, but you would think that
domain controllers really shouldn't have that ability.
Yeah, go ahead.
I'm sorry?
Oh right, yeah, the Kerberos settings
for the domain controller by default
are stronger than the
default template, the basic
template.
For IIS, you have to have
the ability to log on locally for your
temp accounts, but you may want to go in
and remove these on your domain controllers
because you're probably not going to be running your
web server off your domain controller,
or at least I hope you're not.
That's one thing that you want to take a look at
for log on locally. They can also log on
as a batch job because that's what they need to be able to do.
This is where you
assign your user rights within the domain.
To assign user rights on a local
machine, you go to a similar
setting, user rights assignment under local policies
on the local security policy.
So this goes in and sets
your user rights
for the domain, and they have to be set at the domain
if you're a member of the domain.
So if you want to be able to log on to a domain controller,
you go to the domain controller
in order to log on locally.
Generally, you don't want a lot of people
being able to log on locally to the domain controller though, right?
I mean, you're not going to have everybody
working on domain controllers that should be locked away
and just a couple of the administrators going in
and working on that.
Okay, so this is our
domain controller
security settings
set in the group policy
for the domain controller.
Group policy objects.
A group policy object in
Windows 2000 is stored in Active Directory.
It's actually made up of two
different components.
Group policy object is made up of the
group policy container and the
group policy template.
The group policy container is the actual object
in the Active Directory database.
This is basically the pointer.
It provides version information, etc., etc.
Your group policy template is stored in the sysval
directory, and it has all the actual
settings of the group policy.
So with your group policies,
your group policy information,
the meat of it, is stored in the sysval directory,
whereas a pointer is stored in Active Directory
so you can link the
group policy, the actual settings,
to specific users
to specific computers, etc.,
within the domain.
So if you drill down through your sysval
directory under the
name of your
domain, you'll find the
group policy template.
The group policy template is named after
the 128-bit GUI D
that recognizes it as a unique
object. So when you drill down,
you're not going to have domain controller
GPO as the name. It's going to be a
128-character
GUI D as the name.
And the way the group policy happens,
or the way the group policy is applied,
is first,
it's furthest to
nearest with the exception of the computer.
So first, any computer settings are
applied when the machine is booting up.
It's then going to look for site-based
group policy, so any group policies
that are applied at the site are applied
next to this. It then moves down
to the domain level. Anything that's applied at the
domain will apply to this user
or computer, and then it moves down to the
OU. Within the OU is the organization
where units can be nested within each other.
If the organizational units are nested
within each other, then the parent OU applies
and then moves on down the line until
you get to the OU nearest to the
user or computer that it's applying to.
For this reason,
the local security that's set on
your domain controllers, when you go in and set
it locally on each individual machine,
that's applied first, and then
the site generally doesn't matter.
You're not going to apply a lot of group policies
at the site level, but anything that's
set at the domain level will apply next, and
then the set at the domain controller's OU
will override those settings.
So, by the time you get down to the domain
controller's OU, a lot of your settings have been
modified from whatever you set on the
local machine. Therefore, if you go in and modify
settings on the local machine, and then
you don't see them actually pop up on that machine,
this is why. Because the group policy
security settings
are overriding the local security settings.
Now, group policy
is going to apply differently over a
long period of time.
It can detect a slow network connection.
It can detect a slow network link using an algorithm.
If you want to know about that algorithm,
you can go to the Microsoft website.
They have a white paper that details
how that algorithm is used.
It basically sends different sized packets
and looks for the response time.
Determine whether a link should be considered slow.
If it's considered slow, then all that's
going to be applied is the security
and the administrative templates.
So, even if you've got a slow link,
any security that you set at the group policy level
is still going to be processed over that
slow network connection.
This is good because the security is always
going to be applied to the users.
This is bad because it's going to take them
an hour and a half to log in if you're not
careful with how many GPOs you apply
to an individual user or computer
and how slow their link is.
Group policy is going to set a flag
that will indicate the slow link
to the client-side extensions.
The client-side extensions will then only
process the security and the administrative
templates. Only the things that are turned
on by default over a slow network connection.
Now, what happens if you
have a conflict between group policy settings?
Actually, I talked about that briefly
in this slide here, but all group policy
settings apply unless there are conflicts.
So, if I have a group policy
that says the
run command should not be
allowed on the user desktop,
and then I have another group policy that says
that password complexity
should be enforced or should be
enabled, then both of those
are going to apply because there's no conflict.
There's two different settings.
It's not like one group policy
overwrites everything about the other group policy.
Only if there's a
conflict between the same setting between
two different group policies.
The last setting process that applies and the way that they're
applied in order is from bottom to top
within the container. So, first
the computer's local
security is going to be applied, then the
site. If there's more than one group policy at the site,
bottom to top in how they're
listed at the site level.
You'll then move on to the domain, bottom to top
as they're listed at the domain container,
and then each OU,
bottom to top within each OU if you have more than one
GPO. If you don't have more than one GPO,
obviously it's the only one, so it's the one that's going to be
applied.
Right, the reason for that is the one that's
on top is the one that's actually going to have
the final say. So, it
processes them bottom to top.
And you can reorder those in the way that
they're linked.
Let me show you that real quick.
If you go into who's asking, even if
there's one that's more restrictive,
why is it going to process bottom to top?
Okay, here I've got multiple,
I'll create a new domain,
new OU here, or GPO, I'm sorry.
So, I've got my two
GPOs here. This new one
doesn't have any settings in it. The default
domain controller has some settings in it.
What it's going to do is process this one first.
When it's done processing this one, it'll move
to the one right above it.
Okay, the reason for this is the one that's on top
is the one that's going to be final. If I wanted
to change the order of these, I could just click on
up here and reorder them.
Let me close out of this.
And anytime there's a conflict
for a setting, I'm sorry, go ahead.
.
No. No, you've got to have your
security settings
or your group policies
for 9x, and then you've got to
have the ones for 2000. Actually,
if you're using NT, 9x,
and 2000 clients, you still have
to use the policy editor for
95, the one for NT, and then group policy
for 2000. Okay.
Now, the cool thing is that 2000 will
apply, or will process the ones for NT.
So you don't have to go in and do group policy
right away if you've just got a couple
of 2000 clients.
It'll still process the NT stuff.
It's just that if you want to go to group policy,
we're going to just slowly move everything over
as you move your clients over to 2000.
But if you're still going to have 95, 98 clients,
a lot of people are probably going to still
stay with the policy editor, the group policy
from 9x
and NT. Yeah, go ahead.
.
.
Then you're still going to use the
policy, the NT policies.
Yeah. Unless you've got a 2000
domain controller, you can't use group policy.
.
And if there's any
conflict
between a setting that's intended for a computer
and a setting intended for a user,
then the computer setting is going to
apply. Okay. There's some things
that you can apply to both users and
computers with group policy.
The computer setting is going to
win over the user setting
anytime there's any
conflict. Before I move on to questions,
there's a couple other things that I wanted to demonstrate.
.
I told you those slides were short.
.
.
.
.
.
Okay, and actually here, let me
.
I'm demonstrating this on the default
domain controller
GPO, but these
sort of settings are available in every GPO.
You can go into your computer
setting under administrative templates. Your security settings
are where you can really lock things down.
You can specify
account lockout policy.
You can specify your
audit policy. Auditing
is covered in group policies now.
It's got to be enabled on the local machine.
It's got to be enabled by
an administrator. User rights.
And security options are where you're going to
do a lot of your settings.
I've already pointed out the log on
locally. You can deny log on locally.
So if somebody had this
allow log on locally set
at a different GPO that applied to them,
you can specifically deny log
on locally to a group of users.
So you can specifically allow
the administrators that you want to be able to log on
to a machine and allow them
and then specifically deny everybody else
if that's your bag.
.
You can log on locally.
Allow things to log on as best job log on
as a service. Under security
options here. I'm just going through these
briefly. Additional
restrictions for anonymous connections.
So you can go in and
specify do not allow enumeration
of SAM accounts and shares. That's kind of
a good idea. No access without explicit
anonymous permissions.
Not so bad either. So you can set
that sort of thing.
. You can say
allow server operators to schedule tasks
on domain controllers. Allow systems
to be shut down without having to log on.
Generally you don't want that allowed on your
domain controllers or most of your
servers.
Auditing access from user to change password
before expiration.
You can specify how long they're going to
or how long before expiration they're going to
get a notification.
Secure channel using
digitally encrypted secure channels.
SMBs that have a digital
signature.
.
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policies you can specify new ipsec policies and have them applied and enforced across multiple
machines okay so a lot of things that you can do on the local machine you can set in group policy
and have that applied across the board to a number of users okay on top of all the security the
things that we used to see in nt4 when we went into the policy editor our administrative templates
we can do things like uh first of all for windows components we can lock down that meeting
specify uh to disable remote desktop sharing internet explorer test schedule etc nothing
really exciting in there you can set settings on some default applications log on how to run log
on scripts delete cache copies of roaming profiles and how often timeout for dialogue boxes prompt
user when slow link is detected things like that disk quotas which is new for ntfs in windows 2000
you can lock down
box
by partition by the c drive the d drive etc on a specific machine who has uh what amount of
space on that dns client whether or not to specify the uh the primary dns suffix group policy how the
group policy is going to be applied this is going to be important once you set up group policy
how do you want group policy to be applied how do you want it to be processed windows file protection
something new for windows 2000 we have windows file protection if you delete or try to modify
specific
files on the opera from the operating system from uh system files then it'll go in and try to restore
them for you this is where you can set how this is going to be handled okay
okay there we go so windows file protection scanning on or off hide the file scan progress
window so the user doesn't see it happening limit windows file protection cache size how much of a
cache is it going to allow and specify windows file protection cache location
where you're going to use it one of the great things under administer under uh our administrative
templates is that every policy has an explain tab and unlike previous versions it's not like
one sentence saying this is how you specify windows file protection cache okay it gives
you a couple paragraphs some of these are good some of them you know some are more details some
are less detailed but it actually gives you an explanation of what the heck you're just about to
do okay the administrative templates are even more powerful for uh users to use when you're going to use thisジ.jpg
where you can do things like
start menu and taskbar.
Remove the user's folders from the start menu.
Disable and remove links to Windows Update.
This is one I really like.
I don't like my users going in
and trying to do the Windows Update all the time.
Remove common program groups from start menu.
Remove documents from start menu.
Remove the run command.
Remove help.
Add log off to the start menu.
Under NT4, you can specify
which applications users were allowed to run.
With 2000, you can specify,
okay, they are allowed to run these applications,
but more importantly,
you can now say they're not allowed to run these.
So you can put things like command.exe
and cmd.exe on the do not run list.
Once you remove the run prompt,
users try to get in and run the command.exe or cmd
to get a command prompt or whatever they're trying to do.
You say, okay, well, you can't run that.
You can't use that.
Disable personalized menus.
How many people are really glad
that personalized menus have been added
to the operating system?
Yeah, you can disable those for all of your users.
There's nothing like a user calling you up and saying,
well, I was using it yesterday,
or I saw it yesterday,
but now it's not on my menu.
I think somebody was messing with my computer.
Well, no, you have personalized menus.
Click on the little chevrons at the bottom,
and they're all amazed.
Oh, wow, there it is.
I found it.
So you can disable the personalized menus
if you are starting to see any sort of problems
with the personalized menus.
Add the run command.
Run a separate memory space to the run box
if you've got some older applications.
And grade the unavailable Windows installer programs,
start menu shortcuts, et cetera.
Desktop, you can specify what you're going to do
with the desktop.
Hide the Internet Explorer icon on the desktop
so that they don't go out browsing the web as easily.
Hide My Network Places so they don't go
and accidentally find something on the network
or accidentally remove something from the network.
Remove My Documents.
Do not add shares of recently opened documents.
Disable Adding, Dragging, Drafting, and Closing
the Taskbar's Toolbars.
Disable Adjusting Desktop Toolbars.
This is a godsend for anybody that's had somebody
accidentally lose their taskbar.
You go down, they've lost it somewhere.
Well, they've got it set to auto-hide,
and it's up on the top or over on the right-hand side
or what have you.
Control, oh, and underneath Desktop,
we can also go into Active Desktop
and specify what they're allowed to do with Active Desktop.
I don't know what they're allowed to do with Active Directory.
Hide the Active Directory folder.
Enable Find, or enable a filter in the Find dialog box
and make them size of Active Directory searches.
In Windows 2000, Active Directory isn't just
where you keep your security information.
Theoretically, it's going to be where you save
all of your information on users and objects
that exist in your domain.
So, theoretically, you want your users
searching Active Directory for when they're looking
for a printer or when they're looking for a shared folder
or when they're looking for another user's email address,
they can search Active Directory.
Well, you may want to lock that down a little bit.
Control panel, you can control what people are allowed to do.
First of all, disable control panel for your users.
Hide specified control panel applets,
so only specify control panel applets.
What they can do with add-remove programs,
what they can do with the display.
Real fun trick to play with your users,
go in and disable all of the tabs,
but not the display icon.
That way, they can open it up, but they don't get any tabs.
They can't actually do anything,
but they still see the icon.
I'm not recommending that you torture your users.
I'm just saying, if you wanted to,
that's one way you could.
Printers, you can disable the deletion of printers,
disable the addition of printers.
Default Active Directory path when searching for printers,
where do you want them to look?
This way, you can put all of your printers in one OU
and then have the users look,
okay, I'm looking for a printer.
It pops up all the printers.
And browse a common website to find printers.
We now have IPP, the Internet Printing Protocol,
allows your printers,
print servers, to publish their printers on the web
and allows your users to find them that way as well.
Okay.
Under network, you can specify network and dial-up connections
and offline files.
That's something that you'll want to get into.
Log on and log off,
how log on should, and log off should run.
Disable task manager, disable lock computer,
disable change password on their security dialog box,
disable log off.
Run log on scripts synchronously, legacy, hidden.
Run log on scripts visible.
Log off scripts visible.
Basically, how do you want this stuff to run?
Okay, then group policy,
how should group policy be applied for this specific user?
Okay.
Does anybody have any questions so far?
Yeah, go ahead.
Go ahead.
I'm sorry, can you discuss the...
Okay, you mean the anonymous enumeration of the SAM database?
Yeah, and also, the more specific you want to go back to,
you have to connect those.
Okay, hold on a second.
Let me get back into that.
Do you remember, or is that...
Yeah.
This one here, additional restrictions for anonymous connections?
Yeah.
There you go.
The do not allow enumeration of SAM accounts, and...
Yeah.
And shares.
Basically, don't allow somebody to come in over the network, and get the SAM database,
read the SAM database off of this server.
Okay, there's a number of...
From what I understand, there are a number of attacks where you just go in, get the SAM
database, and then run whatever sort of password cracking, brute force attack, or whatever you
want to do on the SAM database.
So not allowing the enumeration of the SAM accounts in the network.
And share is not showing what SAM accounts, and what shares are available on the server.
And the one below that, no access without explicit anonymous permissions.
Basically, unless you have given an anonymous account permission to the resource, then don't
just provide the access.
Does anybody else have any questions?
Yeah, you in the blue hat.
.
Okay.
.
Go over IPsec?
Sure.
Hold on a second.
.
By default, IPsec, there are three default settings.
You've got client, which is respond only, secure server, and server.
Server means it's going to request IPsec communication between itself and another system.
Secure server, or require security, means it will not communicate unless they're using
IPsec.
What you want to do is you want to set client, or respond only, on all of your clients.
If you're going to be using IPsec on your servers, you want to set all of your clients to respond
only.
If you don't have one of these set, then it's not going to know what to do with IPsec,
and therefore it's not going to respond.
So by default, your Windows 2000 clients are not going to respond to an IPsec request.
It's not going to understand it, and therefore all communications from a server that's requiring
IPsec are not going to occur.
Or, if it's just requesting IPsec, then IPsec will never be used between the two.
So you need to set respond only.
Basically, that means if I have a server asking me to use IPsec, then I'll respond.
Looking at the more detailed properties of this setting, it's a default response rule.
We go ahead and edit this.
We can see that it'll use triple DES, SHA-1, MD5.
Default response rule simply replies to, if nothing else applies, then apply this one.
And this one basically says, yeah, but you've got to use some sort of security.
Looking at our general information, it's going to check for policy changes every 180 minutes.
So let me get back to the rules.
I can add a new rule.
Everything in Windows 2000 is a wizard, and this is no exception.
So it's a security role wizard.
Now you can go in and add something in addition to.
Okay.
So we've got the default response.
We've got two different types of tunnels with IPsec.
We've got end-to-end and point-to-point, or tunnel mode and transfer mode.
Tunnel mode means that from this server to this server.
This IPsec rule applies between these two servers.
If I specify this tunnel endpoint is specified by this IP address, then that means that if you use this rule,
you have to be communicating with the server that has this IP address.
So I'll put in some IP address here.
Say 10.9.8.7, just any random IP address.
Now it's going to ask the network type.
Is this for LAN?
Is this for remote access for all connections?
I'm going to leave it with all connections.
The authentication method.
Do you want to use Kerberos?
Do you want to use a certificate from a specific CA that has already been issued to you?
Or do you want to use a pre-shared key?
The least secure of these is the pre-shared key.
Basically, you both type in the same string of characters,
and as long as you both have the same string of characters, then you can communicate.
How do you share those characters?
Well, you send them over email, or you write them down on a piece of paper,
or you just tell them to the person, whisper them in their ear or whatever.
But you both have to have the same string.
The reason that this is less secure is that
if you have the pre-shared key from one end, then you have the key for both ends.
Kerberos, you have to be using either Windows 2000 servers or Unix operating in a Kerberos realm.
You have to be able to use Kerberos for authentication.
Or you can use a certificate from a specific CA.
We don't have any certificates on here.
I haven't installed this as a CA, so we don't have any certificates.
So let's go ahead and use...
A pre-shared key.
Again, this is the least secure, so I wouldn't recommend this.
And a pre-shared key will say, hi.
Really not secure.
Two characters.
And then the filter list.
What protocols are we going to filter based on?
Do I want to go with all ICMP traffic and allow or deny it?
Do I want to go with all IP traffic?
I'm going to actually go with...
All IP traffic.
Based on all IP traffic.
I'm going to request security.
Those are my two rules.
I've got the all IP traffic, which means I'm going to request security.
And then my dynamic.
Now I've modified my client default policy.
So we'll go ahead and say close.
And now it's not actually just going to respond.
It's got a rule in there that's going to request security.
If I want to create a new policy of my own, I just right-click, create IP security policy.
And it gives me another one.
It gives me the wizard.
It allows me to walk through there.
I'm going to cancel out of that.
You have to enable one of these in order to have IP stack working.
You have to at least assign client, which is respond only.
These are very vague, very general policies.
If you want to lock things down a little bit further, go in and create your own policy or modify these.
A client is just going to respond to anything that asks for IP stack communication.
If you ask me for IP stack, I'll respond.
I can use IP stack.
I know how to do that.
Server is going to request security.
That means every communication is going to say, hey, how about we use IP stack?
It's going to propose the idea.
If it doesn't get a response as far as yes or no,
then it's not going to respond.
It'll just say, okay, well, we're not going to use IP stack, and we'll go ahead and communicate.
If it says, yes, I'll use IP stack, and they're not compatible, then they'll go ahead and communicate with IP stack.
If it says, yes, I'll use IP stack, and they're compatible, then they can communicate.
Secure server, which is require security, is going to, it's just that.
It requires security.
It's going to say, hey, let's use IP stack.
If the respond or the destination says, no, I don't want to use IP stack, or no, I don't understand what IP stack is,
or yes, let's use IP stack, but here's my,
I want to use a pre-shared key, then it's going to say, sorry, no, I can't communicate.
Unless we have IP stack, unless we can use IP stack, then we're not going to communicate.
So secure server is going to be the least compatible with everybody else
because it has to use IP stack in order to communicate.
Server is going to try.
It's going to make its best effort, but it's not going to require it.
Client side is respond only.
It's going to say, yeah, if you want to use IP stack, I'm happy to,
but otherwise, I'm happy not to as well.
Does that answer your question, any on IP stack?
Does anybody else have any questions?
Go ahead.
Yes.
Yes, Microsoft is using the standard with IP stack.
You can use any sort of Kerberos, whether you're working with a Kerberos realm.
You can also use certificates.
Or a pre-shared key.
And it will work with hardware-based IP stack or other implementations.
It's not a Microsoft-specific or proprietary version of IP stack.
Yeah, go ahead.
.
I'm sorry, say that again.
.
I don't know.
I'm imagining it's the iUser or iWatch.
It's the iWiM, but I don't know that specifically.
Yeah, go ahead.
Those are installed with double IS.
Those allow anonymous access.
So when you go to the web server with your client,
it's basically coming in using one of those accounts,
depending on the type of access that you're asking for from the double IS server.
Go ahead.
.
.
Are there any command line you chose for what?
.
For group policy modification?
You can modify your group policy using command line.
I think there's a tool in the resource kit that allows you to go in and create a group policy.
You can do a lot of things with Active Directory.
You can modify a lot of things in Active Directory
using basic LDAP queries and LDAP modification.
And there's a number of tools in the resource kit,
the 2000 resource kit that help you to do.
They're trying to get everything to be,
as far as I can tell,
they're trying to get it to the point where you can use a command line
to do a lot of this stuff.
.
Yeah, yeah.
Any other questions?
.
Yeah, go ahead.
.
One thing I would do,
I would go in and create a template,
security template,
and then apply that to all of your organizations.
That's going to save you a little bit of time
because now you can just say,
okay, this is the level of security we want,
and it's like stamping it on every workstation.
That'll save you some time from having to go in and modify it.
Without Active Directory,
there are a lot of the capabilities of Windows 2000,
all the new great stuff,
is because Active Directory allows you to do blah, blah, blah.
Hardware compatibility, plug and play,
be aware that Windows 2000 is plug and play compatible,
and NT4 wasn't,
and all the implications of that.
As far as best practices,
I would treat them mostly like NT workstations
with the compatibility of hardware and applications of 98.
Know that 2000 out of the box is more secure
and more restrictive than NT was,
so applications that worked under NT may not work under 2000.
For the most part,
I mean, if you're all on the dice and it's 95 or NT,
it's going to be a lot more compatible
with applications that were compatible under NT.
There's just some applications that wrote to other registry keys
that 2000's not going to allow anymore.
Subtrees or subkeys of htlm and hkeycurrentuser
that 2000's not going to allow,
so just be careful with that.
Have you done testing yet with your applications?
I'd get a 2000 box and do testing
and see how the application's run.
You're most likely going to be able to run most of your applications with 2000,
if not all of them,
but just be aware of that.
There are some differences,
so it's not going to be as smooth as you'd like it to be,
or it may not be.
What's that?
There's problems with CAD tools with 2000?
Do you have any specific CAD tools?
AutoCAD?
Okay, so do you use AutoCAD at all?
No? Okay.
You may want to be aware of that.
Yeah, go ahead.
.
With what?
.
Right.
.
Yeah, that's another thing,
is that if you're managing your 2000 professional clients,
you can get the administration tools off the CD
and install them on your NT box.
If you're running NT on your workstation,
you can throw the administration tools on there
and still administer the different desktops
around your client.
You can create an MMC and have computer management
and disk management for all of your client desktops.
Yeah, go ahead.
.
.
Yeah, he was saying that as an administrator,
you install an application,
the user goes in to use it,
and it won't run because you installed it
under administrative credentials.
Is that what you're asking?
And how do you get around that?
You can make the user a member
of the administrators group temporarily.
You log on as them,
install the application.
A lot of times, it's just user account mapping
that is a problem.
If that doesn't work for you,
obviously, editing the registry,
which is a big pain in the tail side.
Yeah, go ahead.
.
The group policy management, yeah.
You can install Active Directory users and computers.
Basically, go to the Windows 2000 Server City,
Server Advanced Server City,
and there's an admin pack that MSI
in the i386 directory.
Install that, and that'll give you all of the tools.
.
All the MMC snap-ins plus a number of other tools
that aren't specifically snap-ins.
Go ahead.
Yeah, you.
.
.
Yeah.
That's a good point.
It's easier if you need to edit the registry
for a number of users.
We were looking at the GPO.
You can actually modify the registry in the GPO
and then apply that GPO to a number of users.
You can actually go out
and download GPOs that'll give you compatibility
with legacy applications.
Yeah, thank you.
That's a good point.
Go ahead.
.
I don't know.
Sorry.
Go ahead.
.
I don't see any reason not to.
I mean, just traffic and workload.
I mean, if you're running 20 applications
and switching between them,
and you're also using that as your only domain controller,
then obviously you can run into issues.
.
.
.
Yeah, I mean other than licensing issues,
it's gonna cost you more.
You'll have the tools available just by take it.
It's all professional in your machine.
Take the tools from the CD and throw them on there.
You're gonna have all the tools.
If you really need to work directly on the server,
then throw a terminal server
on some of your file and print servers
under administrative control mode,
you go ahead and down.
in and you can you have two sessions that can only be used by an administrator and then just
open up a terminal session and you've got the server desktop on your desktop so as far as
it's going to cost you more to have server on your desktop but if that's not an issue then
go ahead and try it but you get all the tools on a professional machine or even on an nt machine
theoretically so there's not really a need to but if you find a need to i don't see any downside to
it other than the cost any other questions yeah right
for the page file yeah
right you'll also run into problems if you've already if you already have he was saying
uh that he's run into problems he removed the everyone full control from c and then it wouldn't
give him permission to the page file and he had to go in and add system you'll also run into
problems if you already have users who've logged into that machine under documents and settings
if you remove the everyone full control uh they may not be able to uh access the system because
they now they are lose access to uh the documents and settings which is where their profile starts
so they can't access the system and they can't access the system and they can't access the
they can't log on because of that so uh when you remove the everyone full control from c drive you'd
need to go in and do a little bit of tweaking add system account to a couple places and add
authenticated users uh to a couple places to give access that way yeah go ahead
so what you're saying is that you uh created the policy
it applied just fine you modified the policy and the modifications didn't go down um i've
heard a lot of people say that you've created the policy and the modifications didn't go down
i've heard of uh that happening before it i've also heard of it not happening so i'm not sure
does anybody know what uh what he's running into there
and i made sure even because i don't know if the secretization works or not
that i've manually copied it um to all possible script directories
i know i've got an updated one in all possible spots
so do you want to
yeah i'd be happy to he was saying that uh what he's okay
okay anybody else have any questions
no other questions anything else you guys want to know about windows 2000 any
curiosities questions i mean we've got another 20 minutes here yeah go ahead
what your experience would be from the
um he asked what's my experience with the encrypted file system
i've used it a little bit and uh to be honest with you it scares me a little bit
because users can just go in and encrypt a file um theoretically the domain administrator is the
recovery agent the default recovery agent for the uh encrypted file system i've had
2 000 professional machines where i've gone in and
uh set it up and the local administrator account was not the
uh recovery agent but i was still able to i just had a random user account and i was
able to encrypt the files um the local administrator account was not the default recovery the recovery
agent i went and looked for that i couldn't find uh that anywhere so i'm not sure how
that was working um i've also heard people talk about uh using efs uh user leaves you
delete their account yeah the
uh administrator account is by default the uh recovery agent and the recovery agent can go in
and recover it but it's uh sort of a technically possible but logistically hell to go in and
recover files that a user has encrypted and then you can't recover from that as far as working
i have yet to find a file that i wasn't able to recover when working with it i've
not heard of anybody talking about they couldn't recover
a file uh eventually um it's just more of a logistically doesn't work as well as uh you'd
like it to any other questions yeah go ahead um for locking down a windows 2000 system not
specifically for locking down a windows 2000 system i would recommend if you're uh just
starting out with a 2000 uh server or even if you've been working with it for a while uh mark
manassi wrote a book uh manassas.com.
in windows 2000 server i think it's in like fifth edition now um
he basically just goes through and goes okay listen this is how it is this is how it works
as far as i understand it he's been doing this since since i believe uh nt351 even possibly
before that he did a version for nt4 he's got a newsletter you can go to manassi.com
and find out all sorts of updates of little security holes that people have found
uh problems people have found with advanced server i'm sorry with that adventure rules
but with active directory things like that and it's sort of a plain language hey this is how i see it
with uh 2000 and it's from somebody that's been working with this stuff understands it
at a much more molecular level uh than most and so therefore
has some pretty good insights from what i've seen he's pointed things out that i haven't found
elsewhere so uh i'm sorry um manassi.com m-i-n-a-s-i dot com uh and it's by mark manassi
uh a little hint if you go to lcis.booksonline.com you can order he's got a uh it's called the mark
manassi uh resource kit and it's got mastering 2000 advanced server mastering active directory
mastering professional you can get that as a kit for 10 bucks and then you have to order one more
book and then you can quit the club so you get it's uh like 140 dollar set of books and you get
it for 10 bucks order another book for 20 bucks what's that
it's lcis library of computer information services or library of computer information
science dot booksonline.com and then you can order the there's a couple different sets of
books that you can get for 10 bucks to join the club it's sort of like a columbia house type of
thing where you order the books and then they keep sending you update cards they screwed you
okay so be careful because they might screw you because they screwed that
guy um they sent me my kit real quick and then they keep sending me the cards they just keep
saying no thank you right now i eventually have to buy a book and quit the club because i don't
really want these cards coming every month but i haven't gotten around to that yet so i haven't
actually ordered anything from beyond that but i got the kit and uh that's pretty good wait you
gotta yell though so any problems with replication uh do bear in the woods yeah there's uh there's uh
with 2002 um there's talk of limiting it to i think two domain controllers per location or
something like that they lifted that because uh it was going to cause all sorts of other problems
as far as compared to 2000 the replication file replication service from
in windows 2000 is a lot better than replication and nt4 the domain controllers replicate
pretty well unless you have a slow link between them or unless you go and try screwing around with
the replication topology there's something called the kcc the knowledge consistency checker
goes in and checks the replication make sure that every domain controller replicates with
every other domain controller within three hops it's not always perfect but it's a lot better than
if you go in and create a whole bunch of connections yourself because you create
those connections yourself and then things change it's not going to challenge that go ahead
hold on one second i can't hear you
how do you replace your switch with a hub
he says when uh he uh set his uh microsoft had him replace the switch with a hub
if anything i think they would have you go the opposite direction
i
it's microsoft i'm sure they knew what they were doing and they had logical reason for doing it
any other questions
what's that
it's a three really yeah yeah nt is further up i knew but i thought i had
did it okay i was i must be thinking of something
something else because I thought I had three and I thought they had two more versions.
Maybe I had one and they came out with two more after that.
Go ahead.
To be honest with you, I just got lucky. I put the CD in and it worked, yeah.
Yeah. Now, it took me a while and you've got to
have patience. And actually, I didn't have a crossover cable
or a terminated cable. And in order to install Active Directory,
it has to recognize network as being there. It doesn't actually have to be able to communicate
with anything, but it has to recognize that a network is there.
And so what I did is I created a VPN to itself, set it up a VPN server, a VPN client, had
a VPN into itself to 127.0.0.1. Then it had a network and then I was able to
install Active Directory just fine. So if you're ever setting it up on a laptop
and you want to do that, that's something I figured out like Friday night when I was
on the phone.
Or Thursday night when I was on the plane, or Thursday night when I was on the plane.
Any other questions? Go ahead.
Take you through what? NAT, the network address translation?
Okay. I wasn't sure if you were saying NAT or DAT.
So yeah, no, that's no problem.
Let me get out of all of this. Yeah, it's actually pretty easy to install
NAT on 2000. I don't have two network connections, so
I'm not going to be able to walk you all the way through it.
But let's see how far we can get. We're going to go into routing and remote
access. Here, what we're doing is we're installing
network address translation services. Specify the server.
And now, just for fun, I'm going to do this a long way.
We'll go and configure and enable routing and remote access.
Now, I could just say, set it up as a internet connection server.
I'm going to start to walk through this and then I'm going to back out.
Say set it up as a NAT server. Here, I'll do it both ways.
Set up the router with network address translation.
Specify the internet connection. Actually, here, I'll create a new
demand dial internet connection. You chose to create a demand dial
connection to start the demand dial interface wizard.
Blah, blah, blah. Let's see if I can create this.
I love that everything is set up in the same way.
Everything in Windows 2000 can be done with a wizard because you don't
have to think so much. And that way, you can think about other
things like how to surf or where to surf. Just kidding.
What's that?
Also, if anybody knows how to repair an internal modem, I busted mine.
So, dial up credentials. Okay, this is the best account to use for this.
Okay.
Okay, so now I've got a NAT server set up that way.
Go into routing, NAT, and here we see our remote router is the internet and the
local network.
And the local area connection is my local.
That's the easy way if you're not using anything else.
But if you're already using router remote access on your server, you can't just
walk through that wizard as easily.
So, I'm going to set it up as if we already have it set up as a general router,
and then I'll show you how to set up NAT.
It's actually really easy. It's just a little bit different.
Okay, so configure and enable router remote access server.
Manually configure server there.
There we go.
Finish.
It's not going to have anything.
Start the service.
Oh, by the way, if you have a laptop and you don't like the mouse on there,
this thing is really cool.
It's a handheld mouse.
The roller ball is on top with your thumb, and then your trigger finger is a left click,
and then you've got a left click and right click on there.
So, I like it, so I figured I'd tell you guys about it.
I don't even know who makes it.
I got mine at cyberguys.com, I think.
It's like $10 or $20.
It's not even that bad as far as mice are concerned.
It's about the cost of a mouse.
So, we're going to IP routing here.
Go to general.
Say new routing protocol.
Everybody with me so far?
Okay, so new routing protocol.
Network address translation.
I'll say okay.
I then go into NAT.
Say new interface.
Specify the local area of connection.
I'm going to say, okay, this is my private interface for the private network.
I would then, and this is the part I'm not going to be able to do,
I would then go in, say new interface,
and select my external interface that's going out to the internet.
Once I have that,
configure it.
Actually, let me change this to my public interface.
I'm going to tell it to translate TCP UDP headers.
And I'm going to specify the address pool from which it can choose.
This is the external addresses.
Any reservations.
You need to have a range before you have a reservation.
Okay, so I'll go in.
Okay, so these are the range.
I've got a class C, for example, 1 through 254.
Reservations I can reserve.
And I'm saying, okay, 192.168.
What was it?
76.10.
Maps to one specific computer on the internal network.
So I'll say 10.9.8.7.
Allow incoming access to this address.
That means anything that you receive on the NAT server for this specific IP address
will be redirected to this specific internal server.
So you can redirect an entire address from your address pool.
Or if you only have one address or if you have multiple addresses
but you only want to redirect one port,
you can go in and say special ports.
I want to redirect, say, TCP port 80 to this port on this server.
So your NAT server can handle, you know, your incoming SMTP, your POP3,
your IMAP, your HTTP requests and redirect those to a specific internal server
without exposing its ports.
Or more importantly, its internal IP address to the external network or to the Internet.
Any other questions?
Go ahead.
Yeah, it's really easy to set up.
On your home machine, if you're running 2000 on your home machine,
you go into Settings to Network and Dial-up Connections.
Make a new connection, and it'll just walk you through it.
I mean, it's a wizard again.
So connect to a private network.
This is, again, if you're running 2,000, if you're running another operating system,
then obviously it wouldn't be the same.
Specify how you're going to connect, whether you're dialing up
or whether you're going over the Internet.
Specify an IP address.
Specify a host name there.
For all users or only for myself?
If it's for all users, then anybody that logs on can use it.
If it's only for myself, then only I can use it when I log on.
Enable Internet connection sharing.
This enables other computers on my homeland to connect to the network through me.
If I don't enable that, then I'm the only one that can use this connection.
If you do, it's going to ask you if you want to enable on-demand dialing,
and it'll reset the port, your local interface, to 192.168.
192.168.0.1, and then hand out IP addresses.
It'll try to hand out IP addresses to everybody else on your network.
You can go in and just disable that, change it back to whatever you had it,
but it'll do that by default.
And then it'll try to dial.
Set up a VPN server through router remote access at work.
Very straightforward.
I haven't done it from home to work yet because I don't have anything to do at work.
I mean, I'm a teacher.
I'm in the classroom all the time.
But I've set it up in classroom environments and in test labs, and it was real simple.
Yeah, I believe so.
Yeah.
The browser service might not work as well that way.
In other words, you wouldn't be able to use network neighborhood,
but if you knew the path, then you'd be able to use a UNC path.
Any other questions?
Any other questions?
Um, actually, I don't.
Um, you can, I mean, I do have an email address, but it's my, what do I think?
You can email me at don'task, D-O-N-T-A-S-K, at rocketmail.com.
If you have any comments or questions or, uh, as a matter of fact,
if anybody that wants a copy of my slide presentation, again, it was kind of brief,
so you may not, but if you do want a copy of it, send me an email.
Again, at don'task.
Ask, D-O-N-T-A-S-K, at rocketmail, like rocket, like mail, dot com,
and I'll be happy to email you this slide presentation,
or if accidentally thereof, if I lose it, I'll recreate it real quick.
Yeah, go ahead.
The built-in packet filtering, you can just go in and set up.
I'm not sure how robust it is or how reliable.
I haven't had, uh, any opportunity to really put it through its paces.
I know, uh, when I've set up, uh, filtering in the past, it hasn't, uh,
and somebody's run a port scan against me, it still, still shows those ports as available,
but they haven't been able to connect over them.
I'm sorry?
I'm sorry?
I didn't notice such, but, oh, I mean, we were just playing.
I haven't had a chance to really put it through its paces.
So, and to set it up, you just go into advanced TCPIP properties.
To TCPIP filtering, to properties, and you specify what you're going to filter.
Okay.
Okay.
Okay.
Okay.
How do you mean?
Um.
Right, no.
Permit only, yeah, no, it's, you can't block just, like, one port using this.
Your best bet, if you just want to block ports, just a firewall.
There's a ton of, you can get a, what's that one that's free?
Um.
Um.
Zone alarm.
You can get zone alarm for free.
Uh, and it works pretty well.
You can just, there's a button on there you click and say block everything, and it's not
the absolute most secure firewall, but it's better than what you've got now if you don't
have anything.
Any other questions?
Okay, let's all flee, oh yeah, go ahead.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
IPsec will not go through NAT.
So yeah, if you're using IPsec you have to go to NAT, to the NAT Server and then...
You can either, you can have NAT up to the server and then a separate, or IPsec up to
the NAT Server and a separate IPsec connection from the NAT Server on, but IPsec won't
go through NAT because you can't do the translation.
Go ahead.
Okay.
Yeah.
Yeah, there's probably product out there.
It won't go through Microsoft's implementation of NAT.
But, again, you can go up to the NAT server and then IPsec from there,
but that can be kind of a hassle.
Any other questions?
Okay, let's all flee for the air conditioning of the indoors.
Thank you.
Again, if you have any questions or comments.
Thank you.
